Hi,

I've read the thread about idmap customization. I'm planning an integration between Windows AD and MIT Kerberos, and I was very interested in the subject.

Now we are authenticating Windows AD users against the MIT Kerberos realm with a cross-domain trust, and with Windows clients everything works. I.e. authentication is done with MIT Kerberos and authorization is done with Windows AD.

Now I'm working to let Linux computers authenticate users. What I need is to authenticate users against MIT Kerberos with pam_krb5 (user@REALM), and get authorization from Windows AD (DOMAIN+user).

The main problem is that I can force the user to append @REALM for pam_krb5, but I need the user to be in the form "user" and not "DOMAIN+user" for a domain that is not the "workgroup" of the computer.

Would it be much work to add a parameter to specify a winbind default domain different from the computer's workgroup?

Even if complete customization of user names and group names would be preferred, a custom default domain could be enough for me.

Is this possible?

Regards,

--
Miolinux
I would like to see some more options for this as well. I don't really like the only option being the Windows user-name form of SHORTDOM\user. I wouldn't mind FULL.REALM\user. Only having the Windows short name as an option really doesn't make integration into non-Windows realms very easy. I've expressed this on the list before.

On Wed, 2007-07-18 at 16:11 +0200, miolinux wrote:
> Hi,
>
> I've read the thread about idmap customization. I'm planning an
> integration between Windows AD and MIT Kerberos, and I was very
> interested in the subject.
>
> Now we are authenticating Windows AD users against the MIT Kerberos realm
> with a cross-domain trust, and with Windows clients everything works.
>
> I.e. authentication is done with MIT Kerberos and authorization is done
> with Windows AD.
>
> Now I'm working to let Linux computers authenticate users. What I need
> is to authenticate users against MIT Kerberos with pam_krb5 (user@REALM),
> and get authorization from Windows AD (DOMAIN+user).
>
> The main problem is that I can force the user to append @REALM for
> pam_krb5, but I need the user to be in the form "user" and not "DOMAIN+user"
> for a domain that is not the "workgroup" of the computer.
>
> Would it be much work to add a parameter to specify a winbind default
> domain different from the computer's workgroup?
>
> Even if complete customization of user names and group names would be
> preferred, a custom default domain could be enough for me.
>
> Is this possible?
>
> Regards,
>
> --
> Miolinux
Gerald (Jerry) Carter
2007-Jul-27 14:44 UTC
[Samba] still about winbind idmap customization
miolinux wrote:
> The main problem is that I can force the user to append @REALM for
> pam_krb5, but I need the user to be in the form "user" and not "DOMAIN+user"
> for a domain that is not the "workgroup" of the computer.

You probably want the auth_to_local option in /etc/krb5.conf.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
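As an added illustration of Jerry's suggestion (this is not configuration from the thread or from the Samba project), the fragment below maps a one-component principal in the MIT realm to the DOMAIN+user name that winbind returns for a trusted domain. The realm KRB.EXAMPLE.ORG, the KDC host, the domain ADDOM and the winbind separator "+" are placeholders. MIT krb5 looks up auth_to_local in the realm stanza of the principal's realm, so the rule lives under the MIT realm, and the local name it produces must be resolvable through NSS, which is why it carries the domain prefix: `winbind use default domain` only strips the domain for the domain the machine is joined to, not for trusted domains.

```ini
# Added example for /etc/krb5.conf; realm, KDC and domain names are placeholders.
[libdefaults]
    default_realm = KRB.EXAMPLE.ORG

[realms]
    KRB.EXAMPLE.ORG = {
        kdc = kdc.krb.example.org
        # [1:ADDOM+$1@$0] applies only to one-component principals and builds
        # "ADDOM+user@KRB.EXAMPLE.ORG" ($1 = first component, $0 = realm).
        # The (regexp) confines the rule to this realm; the s/// then strips
        # the realm, leaving "ADDOM+user", the name winbind knows.
        auth_to_local = RULE:[1:ADDOM+$1@$0](^ADDOM[+][^@]+@KRB\.EXAMPLE\.ORG$)s/@KRB\.EXAMPLE\.ORG$//
        # Two-component principals (host/..., user/admin) and anything else that
        # does not match fall through to the default mapping.
        auth_to_local = DEFAULT
    }
```

Before relying on the mapping, confirm that the target name actually resolves on the box, e.g. `getent passwd ADDOM+user` with `winbind separator = +` in smb.conf; if NSS cannot return that entry the Kerberos mapping alone will not get the user logged in. Heimdal evaluates auth_to_local differently from MIT, so the placement of the rule above is specific to MIT krb5.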